On Fri, Apr 15, 2022 at 4:04 PM Linus Torvalds
<[email protected]> wrote:
>
> On Fri, Apr 15, 2022 at 3:58 PM Yu Zhao <[email protected]> wrote:
> >
> > BUG_ONs are harmful but problems that trigger them would be
> > presummingly less penetrating to the user base; on the other hand,
> > from my experience working with some testers (ordinary users), they
> > ignore WARN_ON_ONCEs until the kernel crashes.
>
> I don't understand your argument.
>
> First you say that VM_BUG_ON() is only for VM developers.
>
> Then you say "some testers (ordinary users) ignore WARN_ON_ONCEs until
> the kernel crashes".
>
> So which is it?
>
> VM developers, or ordinary users?
>
> Honestly, if a VM developer is ignoring a WARN_ON_ONCE() from the VM
> subsystem, I don't even know what to say.
>
> And for ordinary users, a WARN_ON_ONCE() is about a million times
> better, becasue:
>
> - the machine will hopefully continue working, so they can report the warning
>
> - even when they don't notice them, distros tend to have automated
> reporting infrastructure
>
> That's why I absolutely *DETEST* those stupid BUG_ON() cases - they
> will often kill the machine with nasty locks held, resulting in a
> completely undebuggable thing that never gets reported.
>
> Yes, you can be careful and only put BUG_ON() in places where recovery
> is possible. But even then, they have no actual _advantages_ over just
> a WARN_ON_ONCE.
Generally agreed, and not to belabor this relatively small issue, but in some
environments like cloud or managed client deployments, a crash can actually
be preferable so we can get a dump, reboot the machine, and get things going
again for the application or user, then debug offline. So having the
flexibility to
do that in those situations is helpful. And there, a full crash dump is better
than just a log report with the WARN info, since debugging may be easier with
all the kernel memory.
Jesse
On Fri, Apr 15, 2022 at 04:24:14PM -0700, Jesse Barnes wrote:
> On Fri, Apr 15, 2022 at 4:04 PM Linus Torvalds
> <[email protected]> wrote:
> > And for ordinary users, a WARN_ON_ONCE() is about a million times
> > better, becasue:
> >
> > - the machine will hopefully continue working, so they can report the warning
> >
> > - even when they don't notice them, distros tend to have automated
> > reporting infrastructure
> >
> > That's why I absolutely *DETEST* those stupid BUG_ON() cases - they
> > will often kill the machine with nasty locks held, resulting in a
> > completely undebuggable thing that never gets reported.
> >
> > Yes, you can be careful and only put BUG_ON() in places where recovery
> > is possible. But even then, they have no actual _advantages_ over just
> > a WARN_ON_ONCE.
>
> Generally agreed, and not to belabor this relatively small issue, but in some
> environments like cloud or managed client deployments, a crash can actually
> be preferable so we can get a dump, reboot the machine, and get things going
> again for the application or user, then debug offline. So having the
> flexibility to
> do that in those situations is helpful. And there, a full crash dump is better
> than just a log report with the WARN info, since debugging may be easier with
> all the kernel memory.
But for those situations, don't you set panic_on_warn anyway?